The current state of the art for network firewalls, packet analyzers, and filters is for the firewall device, either a physical “box” or a virtual machine, to receive network traffic in-line (in series) with the rest of the network traffic. The standard configuration of such a firewall places the device between a local host and a remote host, so that all network traffic between the two hosts must pass through and clear the firewall before being forwarded to its destination. An in-line packet filter is customary because it can block, in real time, any connection that carries malicious network traffic.
Despite this effectiveness, in-line filtering is not always practical to implement with the latest types of network devices and designs. One example of when an in-line packet filter may not be practical is a hosted environment, such as those provided by Virtual Private Servers (VPSs) or by cloud network providers such as Amazon's Virtual Private Cloud (VPC) and Elastic Compute Cloud (EC2) services. These challenges arise from the difficulty of configuring such in-line firewalls to operate properly within cloud systems. Similarly, under network outage conditions, in-line firewalls will not be operating properly. In-line filters can also be a problem for users running devices that are extremely sensitive to network latency. Likewise, users of a network tap that only monitors network traffic would benefit from the ability to filter that traffic when a malicious connection is detected. What is needed, therefore, is a network firewall that can perform all of the functions of an in-line firewall while minimizing network latency, operating under network outage conditions, working in a hosted or cloud environment, and also taking advantage of unique, previously unknown benefits of being out-of-band of the flow of network traffic.